DATA PRIVACY, DESTRUCTION, AND DISCLOSURE POLICY
1. Policy Statement
Diva Billing, LLC (hereafter referred to as “Diva”) is committed to protecting the privacy and confidentiality of Personal Identifying Information about its employees, customers, business partners and other individuals. Diva’s policies and actions are intended to promote this commitment to protecting Personal Identifying Information.
2. Scope
This Data Privacy, Destruction, and Disclosure Policy (“Policy”) sets forth the standard that shall guide all Diva employees and Agents, and is intended to comply with the requirements set forth in C.R.S. §§6-1-713, 6-1-713.5, and 6-1-716.
3. Destruction of Personal Identifying Information
3.1. When Personal Identifying Information in Diva’s possession is no longer needed by Diva, the paper or electronic documents containing Personal Identifying Information shall be destroyed by shredding, erasing, or otherwise modifying the Personal Identifying Information to make the Personal Identifying Information unreadable or indecipherable.
3.2. Diva may arrange for the destruction protocols in Section 3.1 to be performed by a third party, subject to Section 4 of this Policy.
4. Third Party Service Providers
4.1. Before disclosing Personal Identifying Information to a third-party service provider, Diva will require that the third-party service provider implement and maintain reasonable security procedures and practices that are:
4.1.1. Appropriate to the nature of the Personal Identifying Information disclosed to the third-party service provider;
4.1.2. Reasonably designed to help protect the Personal Identifying Information from unauthorized access, use, modification, disclosure, or destruction;
4.1.3. Inclusive of a notification protocol to inform Diva, as soon as possible, of any data breach that could affect Personal Identifying Information stored on Diva’s behalf; and
4.1.4. Inclusive of a cooperation obligation in the event of a data breach on the third-party service provider’s system that permits Diva to conduct the investigations required by this Policy.
5. Disclosure of Security Breaches
5.1. In the event that any employee of Diva becomes aware of a Security Breach of computerized data containing Personal Identifying Information about a Colorado resident, the employee should immediately notify both the employee’s supervisor and the Office Manager.
5.1.1. The Office Manager, or another employee designated by Diva to handle data breaches, shall conduct a prompt, good-faith investigation to determine the likelihood that Personal Identifying Information has been or will be misused.
5.1.2. If the investigation results in a determination that the misuse of Personal Identifying Information has not occurred and is not reasonably likely to occur, no disclosure is required.
5.1.3. If the investigation results in a determination that the misuse of Personal Identifying Information has occurred or is reasonably likely to occur, the investigating employee shall ensure that the following occur:
5.1.3.a. Subject to the legitimate needs of law enforcement, and consistent with any measures necessary to determine the scope of the breach, and to restore the reasonable integrity of the computerized data system, notice must be given to all affected Colorado residents in the most expedient time possible and without unreasonable delay, but no later than thirty days after the date of determination that a security breach occurred.
5.1.3.b. Notice must include at least the following information: (1) the date, estimated date, or estimated date range of the security breach; (2) a description of the Personal Identifying Information that was acquired or reasonably believed to have been acquired as part of the security breach; (3) information that the resident can use to contact Diva to inquire about the security breach; (4) the toll-free numbers, addresses, and websites for consumer reporting agencies (see Appendix A); (5) the toll-free numbers, addresses, and websites for the Federal Trade Commission (see Appendix A); (6) a statement that the resident can obtain information from the Federal Trade Commission and the consumer reporting agencies about fraud alerts and security freezes; and (7) advisement to promptly change passwords, security questions or answers, or to take other steps appropriate to protect the online account maintained by Diva, or its third-party service provider, and all other online accounts for which the person whose personal information has been breached uses the same username or e-mail address and password or security question or answer.
5.1.3.c. If Diva maintains or provides e-mail accounts to residents, the notice required by Section 5.1.3.a above should never be sent to such e-mail accounts.
5.1.3.d. The cost of the Notice shall be borne by Diva, and will not be passed on to affected residents.
5.1.3.e. If pursuant to its investigation, Diva reasonably believes that the security breach has, or will, affect 500 Colorado residents or more, Diva must provide notice of the security breach to the Colorado Attorney General in the most expedient time possible and without unreasonable delay, but no later than thirty days after the date of determination that a security breach occurred.
5.1.3.f. If, pursuant to this Policy, Diva is required to notify more than 1,000 Colorado residents of a security breach, then notice must also be sent, in the most expedient time possible and without unreasonable delay, to all Consumer Reporting Agencies (see Appendix A). The notice to Consumer Reporting Agencies should state (1) the anticipated date of the notification to affected Colorado residents; and (2) the approximate number of residents who are to be notified.
6. Definitions
6.1. “Agent” means a third party that collects and/or uses Personal Information provided by Diva to perform tasks on behalf of and under the direction of Diva.
6.2. “Consumer Reporting Agency” means a consumer reporting agency that regularly engages in the practice of assembling or evaluating, and maintaining, for the purpose of furnishing consumer reports to third parties bearing on a consumer’s creditworthiness, credit standing, or credit capacity, each of the following regarding consumers residing nationwide: (1) public record information; (2) credit account information from persons who furnish that information regularly and in the ordinary course of business.
6.3. “Financial Transactional Device” means any instrument or device, whether known as a credit card, banking card, debit card, electronic fund transfer card, or guaranteed check card, or account number representing a financial account or affecting the financial interest, standing, or obligation of or to the account holder, that can be used to obtain cash, goods, property, or services or to make financial payments, but shall not include a “check”, a “negotiable order of withdrawal”, or a “share draft”.
6.4. “Personal Identifying Information” includes the following information stored in either paper or electronic format: (1) social security numbers; (2) Personal Identification Numbers; (3) a password; (4) a pass code; (5) an official state or government-issued driver’s license or identification card number; (6) a government passport number; (7) biometric data; (8) an employer, student, or military ID number; and (9) a Financial Transactional Device.
6.5. “Security Breach” means the unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a covered entity. Good-faith acquisition of personal information by an employee or agent of a covered entity for the covered entity’s business purposes is not a security breach if the personal information is not used for a purpose unrelated to the lawful operation of the business or is not subject to further unauthorized disclosure.